Skip to content

Signed Audit Events

Jump to bottom
Endi S. Dewata edited this page May 19, 2023 · 22 revisions

Overview

This page describes audit events that are common in all PKI subsystems. The complete list of events, the message format, and the event description are stored in audit-events.properties.

Subsystem-specific audit events are described in the following pages:

Authentication Events

AUTH_SUCCESS

This event is triggered when authentication succeeded.

Properties:

  • Outcome should always be Success in this event

  • AuthMgr must be the authentication manager instance name that did this authentication

For example, use CLI to authenticate as admin user:

$ pki -n caadmin ca-user-find

The server will generate the following logs:

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.users][Op=execute][Info=UserResource.findUsers] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

In PKI 10.5 this event is renamed to AUTH.

AUTH_FAIL

This event is triggered when authentication fails (in case of SSL-client auth, only webserver env can pick up the SSL violation; CS authMgr can pick up certificate mis-match, so this event is used).

Properties:

  • Outcome should always be Failure in this event (obviously, if authentication failed, you won’t have a valid SubjectID, so in this case, SubjectID should be $Unidentified$)

  • AuthMgr must be the authentication manager instance name that did this authentication

  • AttemptedCred must be the credential attempted and failed

For example, start PKI console and login with a wrong password. The server will generate the following logs:

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success] access session establish success
[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

In PKI 10.5 this event is renamed to AUTH.

AUTH

In PKI 10.5 the AUTH_SUCCESS and AUTH_FAIL events have been merged into AUTH event.

Authorization Events

AUTHZ_SUCCESS

This event is triggered when authorization is successful.

Properties:

  • Outcome must be Success for this event

  • aclResource must be the ACL resource ID as defined in ACL resource list

  • Op must be one of the operations as defined with the ACL statement, e.g. read for an ACL statement containing (read,write)

For example, use CLI to authenticate as admin user:

$ pki -n caadmin ca-user-find

The server will generate the following logs:

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.users][Op=execute][Info=UserResource.findUsers] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

In PKI 10.5 this event is renamed to AUTHZ.

AUTHZ_FAIL

This event is triggered when authorization has failed.

Properties:

  • Outcome must be Failure for this event

  • aclResource must be the ACL resource ID as defined in ACL resource list

  • Op must be one of the operations as defined with the ACL statement, e.g. read for an ACL statement containing (read,write)

For example, execute the following command:

$ pki -n caadmin ca-audit-file-find

The server will generate the following logs:

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_FAIL][SubjectID=caadmin][Outcome=Failure][aclResource=certServer.log.content.signedAudit][Op=read][Info=Authorization Error] authorization failure
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

In PKI 10.5 this event is renamed to AUTHZ.

AUTHZ

In PKI 10.5 the AUTHZ_SUCCESS and AUTHZ_FAIL events have been merged into AUTHZ event.

ROLE_ASSUME

Configuration Events

CONFIG_AUTH

CONFIG_ROLE

CONFIG_SIGNED_AUDIT

CONFIG_TRUSTED_PUBLIC_KEY

Access Session Events

ACCESS_SESSION_ESTABLISH_SUCCESS

This event is triggered when PKI client managed to establish a secure connection to PKI server successfully.

Properties:

  • ClientIP: Client’s IP address

  • ServerIP: Server’s IP address

  • SubjectID: Client certificate’s subject DN

  • Outcome: Success

For example, use CLI to authenticate as admin user:

$ pki -n caadmin ca-user-find

The server will generate the following logs:

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.users][Op=execute][Info=UserResource.findUsers] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

In PKI 10.5 this event is renamed to ACCESS_SESSION_ESTABLISH.

ACCESS_SESSION_ESTABLISH_FAILURE

This event is triggered when PKI client failed to establish a secure connection to PKI server.

Properties:

  • ClientIP: Client’s IP address

  • ServerIP: Server’s IP address

  • SubjectID: Client certificate’s subject DN if known

  • Outcome: Failure

  • Info: Failure reason

For example, configure CLI to use a cipher that is disabled on the server:

SSL_CIPHERS="TLS_RSA_WITH_AES_128_CBC_SHA256"
SSL_DEFAULT_CIPHERS="false"

Then execute a CLI command that uses SSL:

$ pki -n caadmin ca-user-find

The operation will fail and the server will generate the following log:

[AuditEvent=ACCESS_SESSION_ESTABLISH_FAILURE][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Failure][Info=HANDSHAKE_FAILURE] access session establish failure

In PKI 10.5 this event is renamed to ACCESS_SESSION_ESTABLISH.

ACCESS_SESSION_ESTABLISH

In PKI 10.5 the ACCESS_SESSION_ESTABLISH_SUCCESS and ACCESS_SESSION_ESTABLISH_FAIL events are merged into ACCESS_SESSION_ESTABLISH event.

ACCESS_SESSION_TERMINATED

This event is triggered when the secure connection between PKI client and PKI server is terminated.

Properties:

  • ClientIP: Client’s IP address

  • ServerIP: Server’s IP address

  • SubjectID: Client certificate’s subject DN

  • Outcome: Success

For example, use CLI to authenticate as admin user:

$ pki -n caadmin ca-user-find

The server will generate the following logs:

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.users][Op=execute][Info=UserResource.findUsers] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

Outbound Connection Events

OUTBOUND_CONNECTION_ESTABLISH

OUTBOUND_CONNECTION_TERMINATED

Random Number Generator Events

RANDOM_GENERATION

See Also

Tip
 To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis.
Clone this wiki locally